With critical infrastructure at risk, White House weighs options in cybersecurity fight

Source: Nathanael Massey, E&E reporter • Posted: Friday, August 9, 2013

It has taken less than half a decade for the concept of cybercrime to migrate from the realm of science fiction into the boardrooms and bureaus of major U.S. institutions. A rash of intellectual property thefts, the recent hack into servers at the Department of Energy and a number of high-profile cyberattacks overseas have put both the private sector and national security services on alert.

Yet despite cybersecurity’s heightened profile, many experts remain concerned that the United States, and the private sector in particular, continues to lag in the face of what appears to be a perpetually evolving threat.

Of principal concern is the country’s critical infrastructure: its electricity grid, water and transportation systems on which basic day-to-day life depends. Speaking at a forum convened by the Bipartisan Policy Center this week, Gen. Michael Hayden noted that the true cost of a cyberattack on this infrastructure would not necessarily appear in its operators’ balance sheets.

“It’s hard to build a business case for [cyberdefense],” said Hayden, who formerly held the post of director of national intelligence and now works as a consultant with the Chertoff Group. “Very often, in the event of a low-probability but high-impact attack, the cost of the attack is less to the industry” — in this case, operators of critical infrastructure — “than it is to the public.”

Hayden noted that weather events like last summer’s super derecho, which knocked out power for much of the Eastern Seaboard, cost far more in lost productivity than the direct repair costs shouldered by utilities.

Meanwhile, cybersecurity remains an expensive proposition. The nation’s energy infrastructure, and its power grid in particular, are becoming increasingly networked to improve reliability and accommodate the addition of new renewable energy sources and new technology such as data storage and electric cars. The growing reliance on interconnectivity creates new “vectors of attack” for cybercriminals and potential vulnerability in the system itself.

At the same time, cyberattacks have grown more sophisticated. Even non-state actors like the hacker group Anonymous are operating on a more sophisticated level than they were a year ago, Hayden noted.

Cyberattack insurance and ‘basic hygiene’

The Obama administration has signaled that it is willing to nudge industry toward a set of best practices, still under development, called the Cybersecurity Framework. The White House announced in a blog post this week that it has developed a suite of potential financial incentives it could make available through the Departments of Homeland Security, Commerce and the Treasury.

“While the set of core practices have been known for years, barriers to adoption exist, such as the challenge of clearly identifying the benefits of making certain cybersecurity investments,” wrote Michael Daniel, special assistant to the president and cybersecurity coordinator.

Adopting these practices wouldn’t necessarily lock out malicious actors, but it would raise the bar for infiltration and make cyberattacks more expensive for their perpetrators, said Andy Ozment, senior director for cybersecurity at the White House.

“The Cybersecurity Framework is essentially a realization of two things. First, basic hygiene will solve 80 percent of the problem,” he said, referring to simple procedures like regular virus scans and avoiding suspect links. “Second, right now, enemies don’t have to use their A game. They’re using their C or D game. The more we can push them, the more it costs them to intrude or attack, the less they’ll do it.”

The Department of Homeland Security is currently working to identify critical infrastructure that may be at risk of an attack, he said.

The potential incentives announced by the White House include cost sharing through cybersecurity insurance, grants and limits on future liability claims for companies that comply.

Speaking at the Bipartisan Policy Center forum, several representatives from the energy sector welcomed the idea of a central set of standards but cautioned that given the fast-moving nature of cybercrime, institutions would still need flexibility to respond.

“There’s no doubt that there’s low-hanging fruit — hygiene, having a security-aware workforce,” said Scott Saunders, information security officer with the Sacramento Municipal Utility District. “What we don’t want is overreaction creating overly burdensome regulations or regulations creating a culture of compliance while sacrificing security.”